Privacy Policy

VeritasIQ Technologies Ltd • Company No. 17120203
Effective date: 29 April 2026 • Last updated: 7 May 2026

1. Data Controller

VeritasIQ Technologies Ltd, 2A Connaught Avenue, London E4 7AA, United Kingdom (“we”, “us”, “our”). Contact: [email protected].

2. Personal Data We Collect

  • Account Data: full name, email address, hashed password, job title, organisation name
  • Profile & Preferences: persona selection, calibration answers, interest tags
  • Content Data: projects, decisions, briefs, academic records, documents you upload
  • Usage & Analytics: pages visited, features used, session duration (collected via Google Analytics 4 with your consent)
  • Technical Data: IP address, browser type, device type, operating system, referral source
  • Communication Data: connected email metadata (subject lines, timestamps) if you link an email account

3. Legal Basis for Processing

  • Performance of a contract (Art. 6(1)(b) UK GDPR) — to provide and maintain the PIOS™ service.
  • Consent (Art. 6(1)(a)) — for analytics cookies. You may withdraw consent at any time via the cookie banner.
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention, service security, and improving PIOS™.
  • Legal obligation (Art. 6(1)(c)) — where required by applicable law.

4. How We Use Your Data

  • Authenticate your account and manage sessions.
  • Deliver AI-powered features (briefs, decision analysis, coaching, synthesis).
  • Generate personalised content based on your persona and calibration profile.
  • Send transactional emails (magic-link sign-in, account notifications).
  • Analyse aggregate usage patterns to improve the platform (with your consent for analytics cookies).
  • Detect, prevent, and address technical issues and security threats.

5. Sub-processors & Third Parties

  • Abacus.AI (United States): application hosting, database, LLM inference, file storage, email delivery
  • Google Analytics 4 (United States): website analytics (consent-based)
  • Google OAuth / Calendar (United States): optional SSO and calendar sync
  • Stripe (United States): payment processing for subscriptions and course purchases
  • Microsoft Entra ID (United States / Europe): optional SSO and Microsoft 365 integration (calendar, email)

Where data is transferred outside the UK, we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) as appropriate.

6. Data Retention

  • Account data: retained for the lifetime of your account plus 30 days after deletion.
  • Content data: deleted within 30 days of account deletion or upon your request.
  • Analytics data: Google Analytics data is retained for 14 months, then automatically deleted.
  • Magic-link tokens: expire and are purged after 30 minutes.
  • Server logs: retained for up to 90 days for security and debugging, then purged.

7. Your Rights Under UK GDPR

You have the right to:

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate or incomplete data via your Settings page.
  • Erasure — request deletion of your account and all associated data.
  • Data portability — export your data in a machine-readable JSON format.
  • Restriction of processing — request we limit how we use your data.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — for analytics cookies, at any time via the cookie banner.

To exercise these rights, use the self-service options in Settings → Privacy within the app, or email [email protected]. We will respond within one calendar month.

8. Security Measures

  • Passwords hashed with bcrypt (cost factor 10) with enforced complexity policy (min 10 chars, mixed case, digits, special characters).
  • Magic-link tokens hashed with SHA-256 before storage; single-use with 30-minute expiry.
  • All connections encrypted via TLS 1.2+ with HSTS enforcement.
  • Sensitive financial data (bank details) encrypted at rest using AES-256-GCM.
  • OAuth tokens encrypted at rest using AES-256-GCM with per-record random IVs.
  • Content Security Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security headers on all responses.
  • JWT-based session management with 24-hour expiry and server-side validation.
  • Role-based access control with tenant isolation.
  • Rate limiting on authentication endpoints with brute-force detection and automatic blocking.
  • Input sanitisation against XSS, SQL injection, and path traversal on all auth endpoints.
  • File upload security: magic byte verification, MIME validation, blocked extension checks.
  • Automated security event logging and real-time threat monitoring.

9. Cookies

We use strictly necessary session cookies and, with your consent, Google Analytics cookies. For full details see our Cookie Policy.

10. Children’s Privacy

PIOS™ is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The “Last updated” date at the top reflects the most recent revision.

12. Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint.

13. Contact Us

VeritasIQ Technologies Ltd
2A Connaught Avenue, London E4 7AA
[email protected]